Cybersecurity expert says little risk from Butler data breach

The Schrott Center for the Performing Arts on the Butler campus in Indianapolis before the grand opening on April 18, 2013. (Photo: Matt Detrich / The Star file photo)

A hacker may have stolen information related to about 163,000 students, faculty, staff, alumni and applicants of Butler University, but a cybersecurity expert says those affected should not worry too much.

"You might think (your Social Security number) is a secret," said Fred Cate, director of Indiana University's Center for Applied Cybersecurity Research, "but it's the worst-kept secret in the world."

Yes, he says there is some risk in a data breach. "It's just not a nuclear device like people talk about it being. If it were, every time you saw a breach of 100,000 people's data, you would expect to see close to 100,000 cases of identity theft instead of about two out of 100,000."

Police contacted Butler officials on May 28 to alert them to an investigation of possible identity theft involving about 163,000 people with ties to Butler, according to documents provided to The Indianapolis Star by university spokesman Marc Allan. Butler President Jim Danko warned those potentially affected in a Thursday letter.

The investigation originated in California, the letter said. The "suspect had in his possession a flash drive containing the information of certain Butler University employees."

Further investigation turned up indications of "unauthorized hacking" into Butler's computer network between November 2013 and May 2014, according to the letter.

"Third-party computer forensics experts" verified the apparent hacking, Danko wrote, before the university sent out notification letters to those affected.

The letter advises the potential identity-theft victims of steps they can take to protect themselves from possible damages caused by the breach, including a free one-year membership in an identity theft protection service courtesy of Butler.

The hacked files contain names, birth dates, Social Security numbers and bank-account information, officials said. Alumni whose information could have been tapped include those who graduated as far back as 1983, Allan said.

The suspect had no connections to Butler, he added.

"Please know that we are taking steps that will prevent this from happening again in the future," Danko wrote, "and that the safety and security of your personal information remains a top priority for Butler University."

One former Butler student was stunned to receive the letter informing her of the breach.

"At first I thought it was a scam," said Kimberly Somermeyer, 55, Homecroft. "I graduated from Purdue in 1982 and took one master's level science course at Butler in the fall of 1983."

Despite the frustration, Somermeyer kept a sense of humor about the breach.

"I wish the hackers would let me know what my grade was at Butler," she said. "I have since forgotten."

Universities have been seeing more targeted data breaches like this one, cybersecurity expert Cate said. Earlier this year, IU reported a security lapse may have exposed personal information of about 146,000 students and graduates. Names, addresses and Social Security numbers were inadvertently stored on an unprotected site, the university said.

Universities have a lot of personal data. Students fill out financial aid forms. Employees use on-site daycares. Patients visit university hospitals.

And it's tough for universities to lock down that information, Cate said, because they typically open their network to so many students, faculty and visitors.

"Data is just becoming so omnipresent in our lives," he said. "It's impossible to nail it all down."

Your name and address are in the phone book. Your birthday is on public records such as voter registration. You hand your credit card to a waiter in a restaurant, who disappears with it before bringing it back. You recite your Social Security number to the doctor, your employer, your utility company.

In the end, he estimates usually less than 10 percent of people sign up for the free credit monitoring that is offered after a data breach.

Cate says being involved in a data breach makes "almost no appreciable difference" in whether you become a victim of identity theft.

Most stolen data is never used, Cate said. In the sophisticated cases of data theft, the personal information might get sold on the Internet. But, he said, "It's not as easy to exploit the data as people might think."